One thing that has become quite clear over the last few years is that cybersecurity goes beyond the purely technological: it is a set of practices. According to Javier Diéguez, director of the Basque Cybersecurity Centre, we now understand that cybersecurity involves an element of best practices and enterprise risk management. This has given our discipline a much more transversal role. Security is now taken into account as a critical factor at a managerial level in businesses, and not just as a concern for the IT department.
Javier has over 15 years’ experience in the corporate and industrial security sector, and was chosen to set up the Basque Cybersecurity Centre. Diéguez is also part of the team of experts that collaborated with the National Center for the Protection of Critical Infrastructures (CNPIC) to help define the sectoral strategic plans for the electricity sector. Here’s what he had to say:
What does your job as the director of the Basque Cybersecurity Centre entail?
I was hired to create the BCSC from scratch, managing a series of short-term objectives such as organizing the centre itself and establishing relationships with other national and European agencies. I was also tasked with constructing basic services to increase the maturity of the Basque cybersecurity industry, fostering a corporate culture of protection and defense.
As well as having a particular awareness of how important it is to protect industry and to encourage competitiveness, the Basque Country has a rather important emerging cybersecurity sector. There’s no other place with such a high concentration of cybersecurity startups and technology products. At the BCSC, it’s our obligation to develop that ecosystem and encourage it to grow, to search for international connections and opportunities; as it is a digital business, it can’t remain merely at a local level.
In your opinion, what are the most serious threats around these days?
The majority of complaints that we receive are related to all kinds of different fraud: from indiscriminate phishing to highly targeted attacks, like impersonating the CEO. In a more industrial environment, as is the economic core of the Basque Country, there are another two important types of attack. The first of these is sabotage: disrupting operations, which is less common, but can take on a lot of different forms in an industrial environment. And a second threat, one that is far more difficult to spot, is cyber espionage. This kind of attack is mainly about stealing intellectual property in order to get a competitive advantage and endanger a potential business rival, as well as stealing information about commercial strategies.
A lot of your career has been dedicated to critical infrastructures, especially electrical infrastructures. What are the most common risks that affect that industry?
Attacks on businesses were considered nigh on impossible, or at least extremely difficult, until just a few years ago. However, nowadays the systems used by critical infrastructures are increasingly connected to the Internet, opening up more points of contact with the outside, especially for maintenance work. There needs to be a high level of surveillance to make sure that the perimeter, that surface that is exposed to the Internet, is properly protected. It is also important to make sure that networks are separated within the company, differentiating between critical networks and those that are less important. In this area, there’s still a lot of work to do: segmentation isn’t always as it should be, perimeters aren’t always well defined, and nor are they well protected against unauthorized access, either intentional or accidental.
There is also a series of problems related to the longevity and diversity of the systems that support critical infrastructures, and to their lifecycles. The lifecycles of the systems in electrical infrastructures last decades. We see cases where systems from entirely different generations work side by side; many of them are legacy systems. It’s not uncommon, for example, to come across a Windows NT 4.0 operating system, which is from 1996. Maintenance for this software just doesn’t exist, and patches for these systems are no longer manufactured.
A third problem comes from the nature of the technology and the support policy that the manufacturers of the equipment have. A company like Siemens or Honeywell usually sets limitations so that their customers, the infrastructure operators, can add independent or external control mechanisms to the package of solutions that the manufacturer has sold. This limits the evolution of the protections in our environment.
How can a company increase its cyber-resilience?
Organizations need to diagnose their risk profile, and give themselves a check-up. To do this, the first thing that a company must do is to find a trustworthy partner. It is in the company’s interest to choose a cybersecurity partner that is independent of the organization, guided by the company’s managers, who know the business’s priorities. This means that they are able to establish priorities and determine the most important assets and processes that need to be protected. Once this profile and these priorities have been defined, a company can start to take steps. There are also many basic measures that need to be applied.